[Python-modules-team] Bug#873815: pyjwt: PyJWT vulneratibility for some keys
Leonidas S. Barbosa
leo.barbosa at canonical.com
Thu Aug 31 12:35:41 UTC 2017
Package: pyjwt
Version: 1.4.2-1
Severity: important
Tags: patch
User: ubuntu-devel at lists.ubuntu.com
Usertags: origin-ubuntu artful ubuntu-patch
Dear Maintainer,
Upstream already fixed that issue, here is the debdiff that was applied in
order to fix this.
* SECURITY UPDATE: symmetric/asymmetric key confusion attacks
- debian/patches/CVE-2017-11424.patch: Throw if key is an PKCS1
PEM-encoded public key in jwt/algorithms.py, jwt/api_jws.py,
jwt/api_jwt.py, tests/keys/testkey_pkcs1.pub.pem,
tests/test_algorithms.py, tests/test_api_jws.py, tests/test_api_jwt.py.
- CVE-2017-11424
Thanks for considering the patch.
-- System Information:
Debian Release: stretch/sid
APT prefers xenial-updates
APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.10.0-32-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pyjwt_1.4.2-1ubuntu1.debdiff
Type: text/x-diff
Size: 6009 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/python-modules-team/attachments/20170831/909ff17a/attachment.diff>
More information about the Python-modules-team
mailing list